Configuration items in Configuration Manager 2007 define a discrete unit of configuration to assess for compliance. They can contain one or more elements and their validation criteria, and they typically define a unit of configuration you want to monitor at the level of independent change.
Configuration items are the building blocks for configuration baselines, and consequently the same configuration item can be used in multiple configuration baselines.
Configuration Manager 2007 supports the following configuration item types:
- Operating system configuration item: A configuration item to determine compliance for settings relating to the operating system version and configuration.
- Application configuration item: A configuration item to determine compliance for an application. This can include whether the application is installed as well as details about its configuration.
- General configuration item: A configuration item to determine compliance for general settings and objects, where their existence does not depend on the operating system, an application, or a software update.
  Note: In desired configuration management reports and in the XML definition view, this configuration item type is referred to as a business policy configuration item.
- Software updates configuration item: A configuration item to determine compliance of software updates using the software updates feature in Configuration Manager 2007.
You cannot import, create, or configure software updates configuration items in the Desired Configuration Management node. Instead, these are made available to configuration baselines through the software updates feature when software updates are downloaded. This means that software updates configuration items can be selected to be included in configuration baselines although they are not displayed under the Configuration Items node.
The other configuration items can be imported, created, and configured with the Configuration Manager console. These configuration items display a number of properties, which include the following:
- General
- Objects
- Settings
- Windows version
- Applicability
- Detection method
The objects and settings properties retrieve the configuration information by using providers. The objects that can be defined are assembly, file or folder, and the registry. The settings that can be defined are XML queries, WQL queries, SQL queries, scripts, registry, Active Directory Domain Services, and the IIS metabase.
The properties that are available to each configuration item depend on the configuration item type. For example, you can configure an operating system configuration item to check for the exact version of the operating system. This property is not applicable to the other configuration items, so you will not see the Windows Version property available for other configuration items.
The following table lists the configurable properties of a configuration item in Configuration Manager, and it shows whether the configurable property is available for each configuration item type.
Key: √ = Available property; Ø = Property not available

Configuration Item Type | General | Windows Version | Objects | Settings | Detection Method | Applicability | Security |
---|---|---|---|---|---|---|---|
General | √ | Ø | √ | √ | Ø | √ | √ |
Application | √ | Ø | √ | √ | √ | √ | √ |
Operating System | √ | √ | √ | √ | Ø | Ø | √ |
Software Updates | √ | Ø | Ø | Ø | Ø | Ø | √ |
With the exception of software updates configuration items, you can view and edit the properties of each configuration item in the Configuration Items node under Desired Configuration Management in the Configuration Manager console. Use the Software Updates node to view and edit software updates configuration items.
In addition to the configurable properties of a configuration item in the Desired Configuration Management node, the General properties display audit information: when the configuration item was created, when it was last edited, and by whom. Additionally, a Relationships property tab displays how the configuration item relates to other configuration items and configuration baselines.
Child Configuration Item
A child configuration item is a copy of a configuration item that continues to inherit the properties of the original configuration item. You cannot modify the child configuration item's inherited objects and settings with their validation criteria, but you can add additional validation criteria to the inherited objects and settings, and you can also add new objects and settings to the child configuration item. Therefore, the usual purpose for creating and editing a child configuration item is that it refines the original configuration item to meet your business requirements.
Important: You cannot add Windows security permissions to child configuration items. In this scenario, you must create a new configuration item with the same object, and define the permissions required.
Because of the dependency relationship of properties inherited from the parent to the child configuration item, modifying the original configuration item will affect the child configuration item.
Child configuration items are appropriate when you have imported configuration data from a Best Practices configuration baseline and you want to be able to update the configuration data when new versions are released that will continue to pass their properties onto the child configuration item.
Another scenario for using a child configuration item is when you need to retain inheritance for a greater level of administrative control. For example, you can use a child configuration item if you have a configuration item that defines a corporate security policy that all computers must comply with, but your finance department computers are subject to additional security requirements. In this situation, you might create a child configuration item from the corporate security policy configuration item. The child configuration item inherits all the properties from the corporate security policy, but it is edited to contain the additional security requirements. If the corporate security policy changed, the original configuration item could be modified without having to also modify the configuration item for the computers in the finance department. Similarly, if the requirements for the finance department computers changed, only the child configuration item would need to be modified and not the original configuration item that defines the corporate security policy.
Duplicate Configuration Item
A duplicate configuration item is an exact copy of another configuration item that does not retain any relationship to the original configuration item.
You can use a duplicate configuration item as a template to modify just a few properties and independently retain both configuration items, or you can use it when you have imported a read-only configuration item (for example, from a Microsoft System Center Configuration Manager 2007 Configuration Pack) and want to use the configuration item with modification and not retain any inheritance from the original configuration item.
Additionally, if you want to use an imported configuration item but delete from it objects or settings (or their related validation criteria), your only editing choice is to create a duplicate configuration item and edit that duplicate configuration item accordingly.
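The difference between a child and a duplicate configuration item, shown as an added conceptual model in Python (not Configuration Manager code or its API). It follows the corporate/finance scenario above; the class, the setting names, and the sample machine values are constructed for illustration.

```python
# Conceptual model only (added example): not Configuration Manager code or its API.
class ConfigItem:
    def __init__(self, name, criteria=None, parent=None):
        self.name = name
        self.parent = parent              # set only for a child configuration item
        self._own = dict(criteria or {})  # setting name -> list of validation checks

    def criteria(self):
        """Effective criteria: inherited ones (read live from the parent) plus own."""
        merged = self.parent.criteria() if self.parent else {}
        for setting, checks in self._own.items():
            merged.setdefault(setting, []).extend(checks)
        return merged

    def add(self, setting, check):
        """Add a new setting, or an additional check on an existing or inherited one."""
        self._own.setdefault(setting, []).append(check)

    def remove(self, setting):
        """Delete a setting; a child cannot delete what it inherits."""
        if self.parent and setting in self.parent.criteria():
            raise PermissionError(f"{setting!r} is inherited from {self.parent.name!r}")
        del self._own[setting]

    def create_child(self, name):
        return ConfigItem(name, parent=self)

    def duplicate(self, name):
        # Exact copy of the current criteria; no relationship to the original is kept.
        return ConfigItem(name, criteria=self.criteria())

    def non_compliant(self, machine):
        """Return the sorted settings on which `machine` fails any check."""
        return sorted(s for s, checks in self.criteria().items()
                      if not all(check(machine.get(s)) for check in checks))

def demo():
    corporate = ConfigItem("Corporate security policy")
    corporate.add("ScreenLockMinutes", lambda v: v is not None and v <= 15)
    finance = corporate.create_child("Finance policy")
    finance.add("ScreenLockMinutes", lambda v: v is not None and v <= 5)  # extra check on inherited setting
    finance.add("DiskEncryption", lambda v: v == "On")                     # new setting in the child
    snapshot = corporate.duplicate("Corporate policy (copy)")
    # The corporate policy changes later: the child picks it up, the duplicate does not.
    corporate.add("FirewallEnabled", lambda v: v is True)
    machine = {"ScreenLockMinutes": 10, "DiskEncryption": "On", "FirewallEnabled": False}  # constructed sample
    return {ci.name: ci.non_compliant(machine) for ci in (corporate, finance, snapshot)}
```

In this model the duplicate can have settings removed freely, while calling `remove` on an inherited setting of the child raises `PermissionError`, mirroring the editing rules described for child and duplicate configuration items.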
Uninterpreted Configuration Item
Imported configuration items might not display all their objects and settings in the Configuration Manager console. In this scenario, Configuration Manager displays as much as it can interpret. If the imported configuration item does not contain any data that it can interpret, the Configuration Manager console displays it as an uninterpreted configuration item. This icon displays as follows:
[Image: Uninterpreted Configuration Icon]
Although the Configuration Manager console is not able to display the properties of these configuration items, you can still add them to configuration baselines, and the configuration data is correctly interpreted by client computers when they evaluate their compliance.
When the Configuration Manager console cannot interpret some or all of the configuration content in an imported configuration item, you cannot create duplicate configuration items from it, or create a duplicate configuration baseline that references it. If some of the configuration content can be interpreted, you can create a child configuration item from it.
However, you cannot create child configuration items if the Configuration Manager console cannot interpret any of the configuration content (an uninterpreted configuration item).
When the Configuration Manager console cannot interpret the configuration content, this will also result in blank fields in the desired configuration management reports. For example, you will not see data for the setting or object properties.
For more information about uninterpreted configuration items, see About Authoring Configuration Data for Desired Configuration Management.
See Also
Tasks
Problems Editing Configuration Data in the Configuration Manager Console
Concepts
About Configuration Baselines in Desired Configuration Management
About Content Versions in Desired Configuration Management
Determine If You Need To Author Configuration Data Outside the Configuration Manager Console for Desired Configuration Management
Determine If You Need to Create Child Configuration Items for Desired Configuration Management
Determine If You Need to Create Configuration Items for Desired Configuration Management
Determine If You Need To Create Duplicate Configuration Baselines or Duplicate Configuration Items for Desired Configuration Management
Determine If You Need to Import Configuration Data for Desired Configuration Management
Step-by-Step Guide to Authoring Configuration Items in Desired Configuration Management
Other Resources
How to Configure Configuration Items for Desired Configuration Management
How to Manage Configuration Baselines and Configuration Items for Desired Configuration Management